Security Management (ISMS)

A comprehensive, auditable information security management system for managing risk, controls, policies, and compliance across 100+ international standards.

Overview

The ISMS module gives your organisation a single, auditable system for managing information security. Whether you are working towards ISO 27001 certification, demonstrating SOC 2 compliance, or simply need better visibility over your security posture, ISMS consolidates risk, controls, policies, incidents, and audits into one place — with every action logged and traceable.

Compliance-ready

Map your security programme to 100+ international standards including ISO 27001, SOC 2, NIST CSF, GDPR, ISO 42001, and NIS 2. Generate gap analyses and Statements of Applicability at any time.

End-to-end lifecycle

From risk identification through to control testing, policy acknowledgement, incident resolution, and audit closure — the full security management lifecycle is handled in one system.

Integrated with your platform

ISMS integrates natively with Drive for document storage, Requests for approvals and exceptions, People for training records, Procurement for vendor assessments, and the platform-wide notifications system.

Who uses ISMS?

The ISMS module is used by security managers, compliance officers, risk owners, IT administrators, and auditors. Role-based permissions ensure each person sees only what they need — risk owners manage their risks, policy authors manage their policies, and auditors review findings without accessing operational data.

Risk Management

Identify, score, treat, and monitor information security risks

The risk register is the foundation of your ISMS. Each risk has an owner, a likelihood and impact score, inherent and residual risk ratings, a treatment plan, and a review schedule. A 5×5 heat-map gives managers an at-a-glance view of your current risk landscape.

Risk scoring

Score each risk on a 1–5 scale for both likelihood and impact. The system calculates inherent risk (before controls) and residual risk (after controls) automatically. Risks are colour-coded as Low, Medium, High, or Critical based on configurable thresholds.

Treatment plans

For each risk, choose a treatment strategy — Mitigate, Accept, Transfer, or Avoid. Document the treatment plan, link it to controls, set a target residual risk rating, and track implementation progress.

Risk reviews

Schedule recurring reviews for each risk. Owners receive reminders when reviews are due, and a review history is maintained so you can show auditors that risks are regularly monitored.

Risk heat map

The ISMS dashboard includes a live 5×5 risk heat map showing both inherent and residual risk positions. Filter by category, owner, or status to focus on the areas that need attention.
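The scoring rules above (1–5 likelihood and impact, inherent versus residual, colour bands, 5×5 heat map) as an added worked example; this is illustrative code, not the module's own implementation, and the band floors, the Risk fields and the sample register are assumptions.

```python
from dataclasses import dataclass

# Colour bands on the likelihood x impact product (1-25), checked from the highest band down.
# The page says thresholds are configurable; these floors are an assumed default.
DEFAULT_BANDS = [("Critical", 16), ("High", 10), ("Medium", 5), ("Low", 1)]

@dataclass
class Risk:
    name: str
    likelihood: int            # 1-5, before controls
    impact: int                # 1-5, before controls
    residual_likelihood: int   # 1-5, after controls
    residual_impact: int       # 1-5, after controls

def score(likelihood, impact):
    """Product of the two 1-5 scores; out-of-range input is rejected, not clamped."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact

def rating(value, bands=DEFAULT_BANDS):
    """Map a score to Low/Medium/High/Critical: the first band whose floor the score meets."""
    for label, floor in bands:
        if value >= floor:
            return label
    raise ValueError("score below the lowest band")

def inherent(risk):
    s = score(risk.likelihood, risk.impact)
    return s, rating(s)

def residual(risk):
    s = score(risk.residual_likelihood, risk.residual_impact)
    if s > score(risk.likelihood, risk.impact):
        # Controls cannot make a risk worse; flag the entry rather than accept it silently.
        raise ValueError(f"{risk.name}: residual score exceeds inherent score")
    return s, rating(s)

def heat_map(risks, residual_view=False):
    """5x5 grid indexed grid[impact-1][likelihood-1], each cell listing the risks placed in it."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in risks:
        lik, imp = (r.residual_likelihood, r.residual_impact) if residual_view else (r.likelihood, r.impact)
        grid[imp - 1][lik - 1].append(r.name)
    return grid

# Constructed sample register: one risk that controls reduce to High, one reduced to Low.
SAMPLE = [Risk("Unpatched VPN appliance", 4, 5, 2, 5),
          Risk("Lost laptop", 3, 3, 2, 2)]
```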

Control Library

Implement, test, and track the effectiveness of your security controls

The control library holds all of your organisation's security controls. Each control can be mapped to one or more compliance frameworks, linked to the risks it mitigates, and assigned an owner responsible for implementation and testing.

Implementation tracking

Mark controls as Not Implemented, In Progress, Implemented, or Not Applicable. Track the implementation date and responsible owner.

Effectiveness testing

Record test results, testing frequency, and evidence. Controls that have not been tested recently are highlighted in the dashboard.

Framework mapping

Link each control to one or more clauses across your selected frameworks. Cross-framework mapping means one control can satisfy requirements in multiple standards simultaneously.

Policy Management

Author, publish, distribute, and retire security policies with full version control

Every organisation needs policies that employees actually read and acknowledge. The policy management module handles the entire lifecycle — from the initial draft through review, approval, publication, and eventual retirement — with version control at every step.

Policy lifecycle

Policies move through a structured workflow: Draft → Under Review → Approved → Published → Retired. Each state transition is logged with a timestamp and the name of the person who made the change.

Policy packs

Bundle related policies into a Policy Pack and distribute it to specific teams, departments, or the entire organisation. Recipients are notified and asked to acknowledge each policy. Completion rates are tracked in real time.

Version control

Every update to a published policy creates a new version. Previous versions are retained in full so you can demonstrate to auditors exactly what policy was in effect at any point in time.
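The policy workflow (Draft → Under Review → Approved → Published → Retired, each transition logged with timestamp and actor) and the version retention described above, as an added example written for this page rather than taken from the module; the "back to Draft" edges, the tuple layouts and the sample timestamps are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Allowed moves in the workflow; the edges back to Draft (a rejected review/approval) are assumed.
TRANSITIONS = {"Draft": {"Under Review"}, "Under Review": {"Approved", "Draft"},
               "Approved": {"Published", "Draft"}, "Published": {"Retired"}, "Retired": set()}

@dataclass
class Policy:
    title: str
    body: str
    state: str = "Draft"
    versions: list = field(default_factory=list)  # (version_no, body, effective_from)
    log: list = field(default_factory=list)       # (timestamp, actor, from_state, to_state)

    def transition(self, new_state, actor, now):
        """Refuse anything outside the workflow; otherwise log who moved it and when."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.title}: {self.state} -> {new_state} is not allowed")
        self.log.append((now, actor, self.state, new_state))
        self.state = new_state
        if new_state == "Published":
            self.versions.append((1, self.body, now))

    def update(self, new_body, actor, now):
        """A change to a published policy creates the next version; earlier versions are kept."""
        if self.state != "Published":
            raise ValueError("only a Published policy is versioned; edit the draft instead")
        self.body = new_body
        self.versions.append((len(self.versions) + 1, new_body, now))
        self.log.append((now, actor, "Published", "Published"))

    def version_in_effect(self, at):
        """The version an auditor should see for a point in time, or None before publication."""
        current = None
        for no, body, effective in self.versions:
            if effective <= at:
                current = (no, body)
        return current

def at(hour):
    return datetime(2024, 1, 1, hour, tzinfo=timezone.utc)  # constructed sample timestamps

def sample_policy():
    p = Policy("Acceptable Use Policy", "v1 text")
    p.transition("Under Review", "alice", at(9))
    p.transition("Approved", "bob", at(10))
    p.transition("Published", "bob", at(11))
    p.update("v2 text", "alice", at(15))
    return p
```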

Acknowledgement tracking

See at a glance who has and has not acknowledged each policy. Send automated reminders to staff with outstanding acknowledgements. Export completion reports for auditors.

Incident Management

Report, investigate, and learn from security incidents

When security incidents occur, speed and structure matter. The incident management module gives your team a consistent process for reporting, classifying, investigating, and resolving incidents — with automatic escalation and a complete audit trail from first report to closure.

Incident reporting

Anyone in the organisation can report a suspected incident. Reports capture the incident type, affected systems, initial description, and severity estimate. Security leads are notified immediately.

Classification & severity

Classify incidents by category (data breach, malware, unauthorised access, physical, etc.) and assign a severity level (Low through Critical). Severity determines the escalation path and SLA deadlines.

Investigation & resolution

Document investigation findings, root cause analysis, affected data subjects, and estimated financial impact. Track remediation tasks through to verified closure.

Lessons learned

Record lessons learned and link them to controls or policies that need updating. Prevent recurrence by converting findings directly into risk register entries.

Audits & CAPA

Plan internal and external audits, record findings, and manage corrective actions

Structured audit management ensures your organisation is always prepared for internal reviews and external certification audits. The audit module covers everything from scheduling through to finding documentation, corrective action plans, and closure verification.

Audit planning

Schedule internal and external audits with defined scope, objectives, lead auditors, and audit dates. An annual audit calendar on the ISMS dashboard shows upcoming audits so nothing is missed.

Finding types

Record findings as Major Non-Conformance, Minor Non-Conformance, Observation, or Opportunity for Improvement (OFI). Each finding includes a description, clause reference, and root cause.

Corrective actions (CAPA)

Assign corrective actions to owners with due dates. Track progress through Not Started, In Progress, and Completed states. Evidence of completion is attached before the action can be verified and closed.

Audit closure

An audit is not closed until all Major NC corrective actions have been verified. The system enforces this gate, ensuring compliance with standard requirements before generating the final audit report.
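The two gates described above (an action needs attached evidence before it can be verified, and an audit cannot close while any Major NC action is unverified), as an added example written for this page, not the module's own code; the class and field names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class CorrectiveAction:
    finding_type: str             # "Major NC", "Minor NC", "Observation" or "OFI"
    state: str = "Not Started"    # Not Started -> In Progress -> Completed
    evidence: list = field(default_factory=list)
    verified: bool = False

    def verify(self):
        """Evidence must be attached and the work completed before the action can be verified."""
        if self.state != "Completed":
            raise ValueError("cannot verify an action that is not Completed")
        if not self.evidence:
            raise ValueError("cannot verify without evidence of completion attached")
        self.verified = True

@dataclass
class Audit:
    name: str
    actions: list = field(default_factory=list)
    closed: bool = False

    def blocking_actions(self):
        """Major NC actions still unverified; the audit cannot close while any remain."""
        return [a for a in self.actions if a.finding_type == "Major NC" and not a.verified]

    def close(self):
        blockers = self.blocking_actions()
        if blockers:
            raise ValueError(f"{self.name}: {len(blockers)} Major NC action(s) not yet verified")
        self.closed = True
        return self.closed

def sample_audit():
    """Constructed sample: one Major NC and one Minor NC finding with open actions."""
    audit = Audit("Internal ISO 27001 audit (constructed)")
    audit.actions += [CorrectiveAction("Major NC"), CorrectiveAction("Minor NC")]
    return audit
```

Only the Major NC action blocks closure; the Minor NC action can remain open, which matches the gate the page describes.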

Frameworks & Compliance

Map your security programme to 100+ international compliance frameworks

The framework library contains 100+ pre-built compliance standards. Select the frameworks relevant to your organisation and map your controls to their requirements. As your control implementation improves, your compliance score updates automatically.

Supported frameworks (examples)

Information security

ISO/IEC 27001:2022, ISO/IEC 27002:2022, SOC 2 (AICPA), NIST Cybersecurity Framework (CSF 2.0), NIST SP 800-53, CIS Controls v8, ISF Standard of Good Practice

Privacy & data protection

GDPR (EU 2016/679), POPIA (South Africa), CCPA (California), ISO/IEC 27701 (Privacy Management), NIST Privacy Framework

AI & emerging technology

ISO/IEC 42001:2023 (AI Management Systems), EU AI Act, NIST AI Risk Management Framework (AI RMF 1.0)

Critical infrastructure

NIS 2 Directive (EU), NERC CIP, IEC 62443 (Industrial Cybersecurity), Essential Eight (Australian Cyber Security Centre)

Cloud & technology

ISO/IEC 27017 (Cloud Security), ISO/IEC 27018 (Cloud Privacy), CSA Cloud Controls Matrix (CCM), FedRAMP

Industry-specific

PCI DSS v4.0, HIPAA Security Rule, SWIFT CSCF, FSB Cyber Lexicon, and many more sector-specific standards

Compliance scoring

For each selected framework, the system calculates an overall compliance score based on the implementation status of mapped controls. Scores update in real time as controls are implemented and tested.
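The cross-framework mapping and the compliance score derived from control implementation status, as an added example written for this page rather than taken from the module; the 0 / 0.5 / 1 status weighting, the exclusion of Not Applicable controls from the denominator, and the sample control-to-clause mapping are assumptions.

```python
from collections import defaultdict

# Weight each implementation status contributes. The page only says the score derives from
# implementation status; the 0 / 0.5 / 1 weighting is an assumption.
STATUS_WEIGHT = {"Not Implemented": 0.0, "In Progress": 0.5, "Implemented": 1.0}

# Constructed sample control library: control id -> (status, {framework: [clauses]}).
# One control mapped to several frameworks counts towards each of them.
CONTROLS = {
    "C-01": ("Implemented",     {"ISO 27001": ["A.5.15"], "SOC 2": ["CC6.1"]}),
    "C-02": ("In Progress",     {"ISO 27001": ["A.8.8"],  "NIST CSF": ["ID.RA-01"]}),
    "C-03": ("Not Implemented", {"SOC 2": ["CC7.2"],      "NIST CSF": ["DE.CM-01"]}),
    "C-04": ("Not Applicable",  {"ISO 27001": ["A.7.4"]}),
}

def compliance_scores(controls, weights=STATUS_WEIGHT):
    """Per-framework score (0-100): mean weight of the applicable controls mapped to it."""
    totals, counts = defaultdict(float), defaultdict(int)
    for cid, (status, mapping) in controls.items():
        if status == "Not Applicable":
            continue  # excluded from the denominator rather than counted as a gap
        if status not in weights:
            raise ValueError(f"{cid}: unknown implementation status {status!r}")
        for framework in mapping:
            totals[framework] += weights[status]
            counts[framework] += 1
    return {fw: round(100 * totals[fw] / counts[fw]) for fw in counts}

def gap_analysis(controls, framework):
    """Clauses of one framework whose mapped control is not yet Implemented."""
    gaps = []
    for cid, (status, mapping) in controls.items():
        if framework in mapping and status in ("Not Implemented", "In Progress"):
            gaps.extend((clause, cid, status) for clause in mapping[framework])
    return sorted(gaps)

def frameworks_covered(controls, control_id):
    """Cross-framework view: every framework clause a single control satisfies."""
    _, mapping = controls[control_id]
    return sorted(f"{fw} {clause}" for fw, clauses in mapping.items() for clause in clauses)
```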

Statement of Applicability (SoA)

Generate a Statement of Applicability for any framework with one click. The SoA lists every control, its inclusion justification, implementation status, and responsible owner. It is versioned and can be exported for certification auditors.

Information Assets

Maintain an information asset register with classification and ownership

An up-to-date information asset register is a requirement of ISO 27001 and most other security standards. The asset register lets you catalogue every information asset your organisation holds, classify its sensitivity, assign an owner, and link it to the risks and controls that protect it.

Asset classification

Classify each asset as Confidential, Internal, Public, or Restricted to drive consistent handling and access controls across the organisation.

Asset ownership

Assign a business owner to every asset. Owners are responsible for reviewing the asset register entry annually and confirming that classification is still appropriate.

Risk linkage

Link assets to risks in the risk register. The system surfaces which risks affect each asset and which assets are exposed by each risk, giving a clear picture of your attack surface.

Asset categories

Categorise assets by type: Information, Software, Hardware, People, Services, or Physical. Use categories to apply consistent controls and filter the register.

Vendor Security

Assess and monitor the security posture of your third-party suppliers

Third-party risk is one of the leading causes of security incidents. The vendor security module lets you assess your suppliers' security posture, distribute questionnaires, record findings, and track remediation — all linked to your procurement panel for a complete supplier record.

Security assessments

Create structured security assessments for suppliers covering areas such as data handling, access controls, incident response, and business continuity. Assessments produce a risk score for each vendor.

Questionnaires

Send security questionnaires directly to suppliers through the Procurement supplier portal. Responses are captured automatically and feed into the vendor's risk profile.

Vendor risk register

Maintain a vendor risk register distinct from your internal risk register. Link vendor risks to contracts, assess residual risk after contractual controls, and schedule periodic re-assessments.

Staff Training & Awareness

Manage security awareness training programmes and track staff completion

Human error remains the number one cause of security incidents. The training module helps you build and track a security awareness programme that keeps staff informed of their responsibilities and the current threat landscape.

Training programmes

Create training programmes with defined content, target audiences, completion deadlines, and passing criteria. Programme types include annual mandatory training, role-specific modules, and ad-hoc awareness campaigns.

Completion tracking

Track completion at the individual and team level. Automated reminders are sent to staff approaching their deadlines. Completion rates are visible on the ISMS dashboard and in management review reports.

Certificates & competency

Issue completion certificates for successful training. Record competency levels and track expiry so re-training is scheduled automatically before certifications lapse.

Dashboards & KPIs

Real-time security dashboards, KPI tracking, and management review support

The ISMS dashboard gives management a live view of the organisation's security posture. Compliance gauges, risk heat maps, incident trend charts, and training completion rates are all visible at a glance, with the ability to drill down into any area.

KPI measurement

Define key performance indicators for your security programme — for example, percentage of controls implemented, mean time to resolve incidents, or staff training completion rate. Set Red, Amber, and Green thresholds. The system measures actual values against targets and alerts you when a KPI drops into the amber or red zone.

Management reviews

Schedule formal management reviews as required by ISO 27001 and other standards. The review workflow pulls together the latest risk register, incident summary, audit findings, KPI trends, and training completion into a single package for sign-off. Completed reviews are stored with a full record of inputs and decisions.

Module Integrations

How ISMS connects with the rest of the Datar platform

ISMS is designed to work alongside the other Datar modules rather than in isolation. Existing documents, approval workflows, people records, and supplier data are all accessible directly within the ISMS context — no duplication required.

Document Control (Drive): Store policy documents, audit evidence, and certificates in Drive and attach them directly to ISMS records. Version-controlled documents remain in sync.

Request Management: Route policy approvals, risk acceptance decisions, and security exception requests through the standard approval workflow. Approved requests are automatically linked to the corresponding ISMS record.

Workforce Administration (People): Pull employee records into training programmes automatically. Completion status flows back to the ISMS training register without manual data entry.

Procurement Management: Link vendor security assessments to supplier records in the procurement panel. Vendor risk scores inform procurement decisions.

Notifications & Messages: Receive in-app and email alerts for overdue reviews, escalated incidents, approaching audit deadlines, and KPIs in the amber or red zone.

Comments (Social): Use @mentions and comment threads on any ISMS entity — risks, controls, incidents, findings — to collaborate without switching to email.

Quick Reference

Common tasks and where to find them

Getting started

Select your compliance frameworks

Go to ISMS → Frameworks and enable the standards that apply to your organisation.

Populate the risk register

Go to ISMS → Risks and add your first risk. Assign an owner, score it, and create a treatment plan.

Import or create your control library

Go to ISMS → Controls to add controls and map them to your selected frameworks.

Publish your first policy

Go to ISMS → Policies, create a policy, move it through the approval workflow, and distribute it as a Policy Pack.

Common tasks

Report a security incident

Go to ISMS → Incidents → Report incident. Fill in the details and submit — the security team is notified automatically.

Schedule an audit

Go to ISMS → Audits → Create audit. Set the scope, assign auditors, and publish the audit plan to the calendar.

Generate a Statement of Applicability

Go to ISMS → Frameworks, select a framework, and choose Generate SoA.

Run a management review

Go to ISMS → Reviews → Create review to schedule a management review and pull together the required inputs automatically.

Permission levels

Access to ISMS is controlled by platform-wide permission levels. Administrators can configure who can view, create, edit, and approve within each section of the module. Contact your organisation administrator if you need access to an area you cannot currently see.
